From 40093b2fa7dde4a5f3c6806aad91b9302c232903 Mon Sep 17 00:00:00 2001
From: webchick <webchick@24967.no-reply.drupal.org>
Date: Wed, 1 Feb 2012 13:29:51 -0800
Subject: SA-CORE-2012-001

---
 modules/file/tests/file.test | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

(limited to 'modules/file/tests')

diff --git a/modules/file/tests/file.test b/modules/file/tests/file.test
index 59f6e0cb0..324faffc4 100644
--- a/modules/file/tests/file.test
+++ b/modules/file/tests/file.test
@@ -1107,7 +1107,7 @@ class FilePrivateTestCase extends FileFieldTestCase {
   }
 
   function setUp() {
-    parent::setUp('node_access_test');
+    parent::setUp(array('node_access_test', 'field_test'));
     node_access_rebuild();
     variable_set('node_access_test_private', TRUE);
   }
@@ -1124,6 +1124,10 @@ class FilePrivateTestCase extends FileFieldTestCase {
     $field_name = strtolower($this->randomName());
     $this->createFileField($field_name, $type_name, array('uri_scheme' => 'private'));
 
+    // Create a field with no view access - see field_test_field_access().
+    $no_access_field_name = 'field_no_view_access';
+    $this->createFileField($no_access_field_name, $type_name, array('uri_scheme' => 'private'));
+
     $test_file = $this->getTestFile('text');
     $nid = $this->uploadNodeFile($test_file, $field_name, $type_name, TRUE, array('private' => TRUE));
     $node = node_load($nid, NULL, TRUE);
@@ -1134,5 +1138,14 @@ class FilePrivateTestCase extends FileFieldTestCase {
     $this->drupalLogOut();
     $this->drupalGet(file_create_url($node_file->uri));
     $this->assertResponse(403, t('Confirmed that access is denied for the file without the needed permission.'));
+
+    // Test with the field that should deny access through field access.
+    $this->drupalLogin($this->admin_user);
+    $nid = $this->uploadNodeFile($test_file, $no_access_field_name, $type_name, TRUE, array('private' => TRUE));
+    $node = node_load($nid, NULL, TRUE);
+    $node_file = (object) $node->{$no_access_field_name}[LANGUAGE_NONE][0];
+    // Ensure the file cannot be downloaded.
+    $this->drupalGet(file_create_url($node_file->uri));
+    $this->assertResponse(403, t('Confirmed that access is denied for the file without view field access permission.'));
   }
 }
-- 
cgit v1.2.3